Continued Examination Under 37 CFR 1.114

1. A request for continued examination under 37 CFR 1.114, including the
fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.
Since this application is eligible for continued examination under 37 CFR
1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality
of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.
Applicant's submission filed on September 18, 2008 has been entered.

Response to Amendment 

2. The amendment filed on September 18, 2008 has been fully considered
but is not deemed persuasive.

Response to Arguments 

Applicant's arguments regarding the 101 rejection are not persuasive. A memory
for storing a data structure for tracking network behavior, comprising: a
connection table containing a record that stores information about traffic to or
from the node and between that node and others nodes in the network fits a
data structure with mere arrangements of data in a table. Therefore it is
non-statutory subject matter.

Applicant's remarks regarding the 101 rejection continue to be unpersuasive.
For example, the footnote at the bottom of page 8 states "when functional
descriptive material is recorded on some computer-readable medium it
becomes structurally and functionally interrelated to the medium and will be
statutory in most cases." The Examiner notes that a data structure stored in a
table as claimed by the Applicant is considered non-functional descriptive
material. Additionally, the claim recites a "memory storing data structure..." not
"some computer-readable medium" as indicated in the footnote.

Applicant's arguments regarding the double patenting rejection are not
persuasive. The Examiner maintains that claims 1 and 14 of Copending
Application 10/701154 and Claims 1, 19 and 25 of Copending Application
10/701356 contain every element of claim 1 of the instant application and as
such anticipate(s) claim 1 of the instant application. Therefore, the narrower
claims of the co-pending invention anticipate the broader claims of the instant
application. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed.
Cir. 1993).

"A later patent claim is not patentably distinct from an earlier patent claim if
the later claim is obvious over, or anticipated by, the earlier claim. In re
Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-
type double patenting because the claims at issue were obvious over claims in
four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed.
Cir. 1998) (affirming a holding of obviousness-type double patenting where a
patent application claim to a genus is anticipated by a patent claim to a species
within that genus)." ELI LILLY AND COMPANY v BARR LABORATORIES, INC.,
United States Court of Appeals for the Federal Circuit, ON PETITION FOR
REHEARING EN BANC (DECIDED: May 30, 2001).

Arguments regarding the 102/103 rejections: in essence, the Applicant argues
that "The claimed "record feature" embodied in the memory of claim 1 is not
suggested by any of the passages referred to by the examiner or elsewhere in
Tams.", and that Tams "... does not provide any mechanism to map each node
of a network to a record object that stores information ... to or from the node
and between that node and other nodes in the network." (Page 11 second
paragraph and page 12).

Examiner respectfully disagrees. In addition to Tams' Table 2 and ¶ 0210,
which show a connection table that maps nodes (identified by IP addresses
such as 123.45.67.89 and host object/or destination IP address 98.76.54.32)
and a record indicating the number of packets in the conversation between the
hosts, Tams shows in figure 9 a table containing "Two conversations were
detected during this first hourly time period. A first conversation between
devices A and B which involved 10 packets and a second conversation between
devices A and E which involved 6 packets. The number of bytes, in addition to
the number of packets, may also be stored in each record of the database 707."
(Para. 210). (The conversation between host A and host B and/or host E shows
a record containing the number of packets between the hosts, such as 10 and 6).

Applicant also argues that "Tams's data is organized by byte/packet count...
rather than organize records by host or host-pair" page 12 second paragraph.
The Examiner disagrees. Tams for example teaches "The entries in alMatrix
and nlMatrix tables are ordered by address and protocols." (¶ 0021). Therefore,
contrary to Applicant's argument, Tams's data is also ordered by addresses in
addition to byte/packet count and protocols.

Regarding claim 5, the Applicant argues that Tams "Table 2 does not show
records indexed by source address or by destination address." (Page 14). Tams
teaches ordering traffic data by addresses including source and/or destination
(¶ 0021 and ¶ 0178).

As to indexing by time, Tams clearly shows time-stamped traffic information
indicating the conversation between hosts that is stored in a database by
different time intervals. See ¶ 0198 and ¶ 0201-0208 and the time scale data
structure 709, 711, 713 and 715 in fig. 7.

Regarding claim 13, the Applicant argues Tams does not disclose records that
store a measure of "...connections that occurred between hosts..." The
Examiner disagrees. Tams shows, in fig. 7 and figure 9, records that store a
measure of "...connections that occurred between hosts...".

The Applicant also argues "Maufer does not teach "the addresses indexing the 
connection include a physical layer address to IP address map that is used to 
determine Host ID." Page 16. The Examiner notes that Maufer discloses a 
physical [layer] address to IP address map that is used to determine Host ID 
(col. 16, line 51-65 and table 300, fig. 5A. See also col. 5, lines 36-60). 

The Applicant continues to argue that "Maufer clearly does not teach any
mapping for use in a connection table of the type in claim 1 for a function to
determine Host ID in the connection table." The Examiner disagrees. It seems
the Applicant is arguing against the references individually. The feature of the
connection table is addressed by Tams while Maufer is used to teach a physical
[layer] address to IP address map that is used to determine Host ID (col. 16,
line 51-65 and table 300, fig. 5A. See also col. 5, lines 36-60).

Regarding claim 12 and the features of two level mapping, after further
examination, the Examiner believes that figures 9 and 10 address the argued
limitations in claim 12. For example Tams teaches "Two conversations were
detected during this first hourly time period. A first conversation between
devices A and B which involved 10 packets and a second conversation between
devices A and E which involved 6 packets. The number of bytes, in addition to
the number of packets, may also be stored in each record of the database 707."
(Para. 210).



Claim Rejections - 35 USC §101 



35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, 
manufacture, or composition of matter, or any new and useful improvement 
thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 



Claim 1 is rejected under 35 U.S.C. 101 because it is directed to a data
structure ("A memory for storing a data structure for tracking network
behavior, comprising: a connection table ..."). When nonfunctional descriptive
material is recorded on some memory, it is not statutory since no requisite
functionality is present to satisfy the practical application requirement. Merely
claiming nonfunctional descriptive material, i.e., abstract ideas, stored in a
memory, does not make it statutory.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created 
doctrine grounded in public policy (a policy reflected in the statute) so as to 
prevent the unjustified or improper timewise extension of the "right to exclude" 
granted by a patent and to prevent possible harassment by multiple assignees. 
A nonstatutory obviousness-type double patenting rejection is appropriate 
where the conflicting claims are not identical, but at least one examined 
application claim is not patentably distinct from the reference claim(s) because 
the examined application claim is either anticipated by, or would have been 
obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 
USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 
(Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In 
re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422
F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 
163 USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 
1.321(d) may be used to overcome an actual or provisional rejection based on a 
nonstatutory double patenting ground provided the conflicting application or 
patent either is shown to be commonly owned with this application, or claims 
an invention made as a result of activities undertaken within the scope of a 
joint research agreement.

Effective January 1, 1994, a registered attorney or agent of record may
sign a terminal disclaimer. A terminal disclaimer signed by the assignee must
fully comply with 37 CFR 3.73(b).

Claims 1-17 are provisionally rejected on the ground of nonstatutory 
obviousness-type double patenting as being unpatentable over claims 1-22 of 
copending Application No. 10701154 and claims 1-36 of copending Application 
No. 10701356. Although the conflicting claims are not identical, they are not
patentably distinct from each other. A comparison between instant application
independent claim 1 and claims 1 and 14 (of the copending application
number 10701154) and claims 1, 19, and 25 (of the copending application
number 10701356) reveals that the copending claims are simply species of the
broader claim 1 of the instant application. Hence, claim 1 of the instant 
application is generic to the species of the invention covered by independent 
claims of the copending applications stated above. Thus, the broad generic 
invention is anticipated by the narrower species of the co-pending invention, 
thus without a terminal disclaimer, the species claims preclude issuance of the 
generic application. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. 
Cir. 1993). 



Instant Application 10/701155

Claim 1: A memory device storing a data structure for tracking network
behavior, a connection table that maps each node of a network to a record
object that stores information about traffic to or from the node and between
that node and others nodes in the network.

Copending Application 10/701154

Claim 1: A system, comprising: a plurality of collector devices that are
disposed to collect statistical information on packets that are sent between
nodes on a network; an aggregator that receives network data from the
plurality of collector devices, and which produces a connection table that
maps each node on the network to a record that stores information about
traffic to or from the node.

Claim 14: A method, comprises: providing a plurality of collector devices in a
network to collect statistical information on packets that are sent between
nodes on a network; and sending statistical information from the collector
devices to an aggregator, the aggregator producing a connection table that
maps each node on the network to a record that stores information about
traffic to or from the node

Copending Application 10/701356

Claim 1: A device comprising: a memory storing a connection table that maps
each node of a network to a host object, the connection table stores
information about traffic to or from the node.

Claim 19: A computer program product residing on a computer readable medium
for use in detecting network intrusions comprises instructions for causing a
processor to: store a connection table that maps each node of a network to a
host object, the connection table stores information about traffic to or from
the node

Instant Application    Copending Application    Copending Application
10/701155              10/701154                10/701356

1                      1 and 14                 1, 19 and 25
2                      8 and 17                 5
3                      9 and 18                 6
4                      10 and 19                7
5                      11 and 20                8
6                      12 and 21                9 and 30
7 and 8                13 and 22                10 and 31


This is a provisional obviousness-type double patenting rejection because 
the conflicting claims have not in fact been patented. 



Claim Rejections - 35 USC §102 



The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made in 
this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another 
filed in the United States before the invention thereof by the applicant for patent, or on an 
international application by another who has fulfilled the requirements of paragraphs (1), 
(2), and (4) of section 371(c) of this title before the invention thereof by the applicant for 
patent. 



The changes made to 35 U.S.C. 102(e) by the American Inventors
Protection Act of 1999 (AIPA) and the Intellectual Property and High Technology
Technical Amendments Act of 2002 do not apply when the reference is a U.S.
patent resulting directly or indirectly from an international application filed
before November 29, 2000. Therefore, the prior art date of the reference is
determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA
(pre-AIPA 35 U.S.C. 102(e)).

Claims 1-9 and 11-17-23 and 25-30 are rejected under 35 U.S.C. 102(e) as
being anticipated by Tams et al U.S. Publication Number (20030069952),
hereinafter "Tams".

As per claim 1, Tams (20030069952) teaches a memory device (fig. 2, 162 and
fig. 9) storing a data structure for tracking network behavior (¶ 0079-0081 and
¶ 0198), comprising:

a connection table (fig. 2, data table and Table 2, page 11. See also fig. 9)
that maps each node of a network (host A-host B) to a record that stores
information about traffic to or from the node and between that node and others
nodes in the network (number of packets in fig. 9 for example) (¶ 0157-0164
and ¶ 0210. See TABLE 2, page 11).

As per claims 2 and 3, Tams teaches wherein the connection table includes a
plurality of records that are indexed by source and destination address (See
TABLE 2, page 11 and ¶ 0021 and ¶ 0178).

As per claim 4, Tams teaches the device of claim 1 wherein the connection
table includes a plurality of records that are indexed by time (¶ 0198 and
¶ 0201-0206; see steps in fig. 8).

As per claim 5, Tams teaches the device of claim 1 wherein the connection
table includes a plurality of records, that are record objects, which are indexed
by source address, destination address and time (See TABLE 2, page 11 and
¶ 0198 and ¶ 0201-0206. See also fig. 9, ¶ 0201 and ¶ 0178).

As per claim 6, Tams teaches the device of claim 1 wherein the connection
table is a plurality of connection sub-tables each sub-table having data
pertaining to network traffic over different time scales (¶ 0198 and ¶ 0201-0208;
see the time scale data structure 709, 711, 713 and 715 in fig. 7).

As per claim 7, Tams teaches the device of claim 6 wherein the connection
sub-tables include a time-slice connection table that operates on a small unit of
time and at least one other sub-table that operates on a larger unit of time
than the time slice sub-table. (¶ 0198 and ¶ 0201-0208; see the time scale data

As per claim 8, Tams teaches the device of claim 7 wherein the at one sub-table
holds records received from all collectors over the time scale of the table (¶ 0198
and ¶ 0212).

As per claim 9, Tams teaches the device of claim 5 wherein the addresses
indexing the connection table are IP addresses (See TABLE 2, page 11).

As per claim 11, Tams teaches the device of claim 1 wherein the host record of
a first host maps that first host (host A, figure 9) to a second host (host B and
host C) which communicates with the first host to a "host pair record" that has
information about all the traffic from between the first and second hosts (Fig. 9
and 10; ¶ 0201 and ¶ 0209-0210).

As per claim 12, Tams shows a connection table includes a two level mapping
that enables a consuming device to obtain summary information about one
host for a first level mapping and about the traffic between any pair of hosts in
either direction, between a first one of the hosts of any pair to a second one of
the hosts of the any pair and from the second one of the host of the any pair to
the first one of the host for the any pair for a second level mapping (figure 9-10
and ¶ 0201-0209).

As per claim 13, Tams teaches the device of claim 1 wherein a record the
connection table comprises a plurality of host record, a host record stores a
measure of the number of bytes, packets, and connections that occurred
between hosts during a given time-period (¶ 0157-0164 and ¶ 0210. See
TABLE 2 and figures 9 and 10).

As per claim 14, Tams teaches wherein data in the record is organized by well
known transport protocols and well-known application-level protocols (¶ 0151-
0157 and ¶ 0161-168. See TABLE 2 and TABLE 4A-4B and figures 9-10).

As per claim 15, Tams teaches the device of claim 13 wherein host records
have no specific memory limit (¶ 0202-0206).

As per claim 16, Tams teaches the device of claim 1 wherein for
application-level protocols and for every pair of hosts, the connection table stores
statistics for traffic between the hosts (¶ 0151-0157 and ¶ 0161-168. See TABLE 2 and
TABLE 4A and 4C in page 11).

As per claim 17, Tams teaches the device of claim 16 wherein the connection
table stores protocol-specific records as (protocol, count) key-value pairs
(¶ 0151-0157 and ¶ 0161-168. See TABLE 2 and TABLE 4A-4B in page 11).

As per claim 18, Tams teaches a memory device storing a data structure for
tracking network behavior (fig. 7, 707), the data structure comprising:

a connection table (table 2 and fig. 9, 920) that maps each node of a
network to a record that stores connection information about traffic to or from
the node and between that node and others nodes (host A-host B or Host A-host E
(fig. 9)) that have connections with the node in the network (¶ 0209),
the connection table indexed according to at least a first one of source address,
destination address and time (¶ 0021 and ¶ 0178); the connection table further
including in the records fields for storing statistical information for traffic
between the hosts (packet counts in table 2 or fig. 9).

As per claim 19, Tams teaches the device of claim 1 wherein the plurality of
records are record objects (See TABLE 2, page 11 and ¶ 0198 and ¶ 0201-
0206. See also fig. 9, ¶ 0201 and ¶ 0178).

As per claim 20, Tams teaches the device of claim 18 wherein the connection 
table is a second plurality of connection sub-tables, each sub-table having data 
pertaining to network traffic over different ones of corresponding second 
plurality of time scales (fig. 7, 207 and figures 9-10). 

As per claim 21, Tams teaches the device of claim 18 wherein the connection
sub-tables include a time-slice connection table that operates on a small unit
of time and at least one other sub-table that operates on a larger unit of time
than the time slice sub-table (See fig. 7 and fig. 9).

As per claim 22, Tams teaches the device of claim 18 wherein the at one sub-table
holds records received from all collectors in the network over the time
scale of the table (See fig. 7 and fig. 9).

As per claim 23, Tams teaches the device of claim 18 wherein the addresses
indexing the connection table are IP addresses (¶ 0021 and ¶ 0178).

As per claims 25-27, these claims correspond to claims 11-14, therefore they
are rejected with the same rationale.

As per claims 29-30, these claims correspond to claims 16-17, therefore they
are rejected with the same rationale.

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or
described as set forth in section 102 of this title, if the differences between the subject
matter sought to be patented and the prior art are such that the subject matter as a whole
would have been obvious at the time the invention was made to a person having ordinary
skill in the art to which said subject matter pertains. Patentability shall not be negatived by
the manner in which the invention was made.

Claims 10 and 24 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Tams et al U.S. Publication Number (20030069952), hereinafter "Tams"
in view of Maufer et al U.S. Patent Number (7120930), hereinafter "Maufer".

As per claims 10 and 24, although Tams shows substantial features of the
claimed invention including a table with plurality of records, he does not
explicitly show a physical [layer] address to IP address map that is used to
determine Host ID.

Nonetheless, this feature is well known in the art and would have been an
obvious modification of the system disclosed by Tams, as evidenced by Maufer
U.S. Patent Number (7120930).

In analogous art, Maufer whose invention is about a Method and apparatus for 
enhanced security for communication over a network including a mapping 
table accessible by a gateway computer used to form associations between a 
local address for the client and a destination address for a peer and a Security 
Parameters Index associated with IPSec-protected traffic from the peer 
(abstract), discloses a physical [layer] address to IP address map that is used to 
determine Host ID (col. 16, line 51-65 and table 300, fig. 5A. See also col. 5, 
lines 36-60).

Given the teaching of Maufer, a person of ordinary skill in the art would have
readily recognized the advantage of modifying Tams by employing the enhanced
network security system of Maufer for particularly identifying traffic flowing
from a remote address to the local address using physical layer (MAC) address
to IP address mapping in order to verify hosts belonging to the private network
from unknown intruders of the public network. In this way fake packets
belonging to unknown sources are recognized and discarded.

Conclusion 

The prior art made of record and not relied upon is considered pertinent 
to applicant's disclosure. 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to Yasin Barqadle whose telephone 
number is 571-272-3947. The examiner can normally be reached on 9:00 AM 
to 5:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the
examiner's supervisor, Bunjob Jaroenchonwanit can be reached on
571-272-3913. The fax phone number for the organization where this application or
proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained
from the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either Private 
PAIR or Public PAIR. Status information for unpublished applications is 
available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access 
to the Private PAIR system, contact the Electronic Business Center (EBC) at 
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer 
Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Yasin M Barqadle/ 

Primary Examiner, Art Unit 2456 



